CaCert Certificate

From wiki.breedveld.net
Revision as of 13:56, 28 April 2010 by Roland (Talk | contribs)

Jump to: navigation, search

CaCert wildcard certificate setup in your Zimbra mail server

create an CaCert account and domain in https://www.cacert.org

create a server certificate for a wild-card domain in Zimbra (as root) : 

mkdir -p /data/Cerificaten/CaCert
cd /data/Cerificaten/CaCert
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mailserver.breedveld.net
cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr

(change the domain in your domain)

On the CaCert site, if you didn't do that already, register yourself and your domain.

create on the CaCert site a new server certificate, with the above generated cert.

cut-and-paste the received certificate from the CaCert site in commercial.crt and place it in the right zimbra dir: 

cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt

retreive the CaCert root certs: 

wget https://www.cacert.org/certs/root.crt  --no-check-certificate
wget https://www.cacert.org/certs/class3.crt  --no-check-certificate

Activating the certificates in Zimbra: 

cat root.crt class3.crt > ca_chain.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt

Check the certificates: 

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra 

/etc/init.d/zimbra restart

Configure apache as ssl-proxy for Zimbra with the same certificate
place the commercial.crt (see above) in:
/etc/pki/tls/certs/commercial.crt
change your virtual-host settings in apache: 

<VirtualHost *:443>
   DocumentRoot "/var/www/html/breedveld.net"
   ServerName mailserver.breedveld.net
   ProxyRequests Off
   <Proxy *>
     Order allow,deny
     Allow from all
   </Proxy>
   SSLProxyEngine On
   SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
   ProxyPass / https://mailserver.breedveld.net:443/
   ProxyPassReverse / https://mailserver.breedveld.net:443/
</VirtualHost>

Using the same Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt commercial.key and class3.crt
from your zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your apache server: /etc/pki/tls/certs/
Copy the above created concatenated chainfile ca_chain.crt also there

Your Apache ssl.conf (or httpd.conf) should contain the following rows: 

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
SSLCACertificateFile /etc/pki/tls/certs/class3.crt

Don't forget to restart or reload Apache

Installing CaCert certificates in Ubuntu and Firefox
While Ubuntu and Mozilla don't deliver their product out of the box with the CaCert root certificate (shame them), you need to install them yourself:

sudo apt-get install ca-certificates

After this activate it in firefox:

firefox /usr/share/ca-certificates/cacert.org/*.crt

Installing CaCert certificates in Google Chromium browser
Google Chrome uses Mozilla's NSS for the certificates, you need the certutil tool to manage it: 

sudo apt-get install libnss3-tools
sudo apt-get install curl

import the root certs for Chrome: 

curl -k -o "cacert-root.crt"   "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt 
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
Retrieved from "https://wiki.breedveld.net/index.php?title=CaCert_Certificate&oldid=6759"